
    sdktr

    1 month ago
    2nd question: any hints on the concept of ‘Privileged Access Management’ or ‘Just In Time’ access, in relation to Cerbos? Do your users have these time-based concepts implemented by means of a conditional, time-based derived policy? So when requesting ‘temporary access’ to manage a resource, an accompanying temporary policy has to be added via the Admin API?

    Alex Olivier (Cerbos)

    1 month ago
    That is certainly one way to do it. Another option, which allows your policies to stay static, is to pass in the time window as an attribute of the user and then use the time conditions in the policies to grant access.

    sdktr

    1 month ago
    That one I don’t grasp completely? Do you mean storing a certain time window in the policy and sending the current time with the authZ request? Then evaluate whether the requested time falls into the window defined on the policy?

    Alex Olivier (Cerbos)

    1 month ago
    Something like this: your principal object would contain attributes which define when access starts and ends:
    {
      "id": "sally",
      "roles": [
        "USER"
      ],
      "attr": {
        "accessStart": "2021-10-01T10:00:00.021Z",
        "accessEnd": "2021-10-02T10:00:00.021Z"
      }
    }
    Then in your policy you could have:
    - actions: ["someAction"]
      effect: EFFECT_ALLOW
      roles:
        - USER
      condition:
        match:
          # now() is evaluated by Cerbos at request time; the window bounds come
          # from the principal, so the policy itself never changes per grant.
          expr: now() > timestamp(request.principal.attr.accessStart) && now() < timestamp(request.principal.attr.accessEnd)
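As an added example (not code from the thread, and not Cerbos' own sample code), the pattern above as a complete resource policy plus a Cerbos policy test suite. The suite pins the value returned by now() through the suite-level options.now, so the window logic can be checked offline with cerbos compile rather than by waiting for the clock. The resource kind someResource, the file names, the principal fixtures and all timestamps are assumptions; the accessStart/accessEnd attribute names and the condition expression are the ones from the thread.

```yaml
# Assumed file: policies/some_resource.yaml (Cerbos expects one policy per file)
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "someResource"   # assumed resource kind
  rules:
    - actions: ["someAction"]
      effect: EFFECT_ALLOW
      roles:
        - USER
      condition:
        match:
          # The window travels with the principal, so this policy stays static
          # when temporary access is granted or revoked; timestamp() needs
          # RFC 3339 strings with a zone designator.
          expr: now() > timestamp(request.principal.attr.accessStart) && now() < timestamp(request.principal.attr.accessEnd)

# Assumed file: policies/some_resource_test.yaml (picked up by `cerbos compile policies/`)
---
name: JitAccessWindow
description: Access window carried on the principal, checked against a pinned clock
options:
  # Pins what now() returns so the suite is deterministic (assumed instant)
  now: "2021-10-01T12:00:00Z"
principals:
  sally_active:          # window contains the pinned now()
    id: sally_active
    roles: [USER]
    attr:
      accessStart: "2021-10-01T10:00:00Z"
      accessEnd: "2021-10-02T10:00:00Z"
  sally_pending:         # window has not opened yet
    id: sally_pending
    roles: [USER]
    attr:
      accessStart: "2021-10-01T13:00:00Z"
      accessEnd: "2021-10-02T10:00:00Z"
  sally_expired:         # window already closed
    id: sally_expired
    roles: [USER]
    attr:
      accessStart: "2021-09-30T10:00:00Z"
      accessEnd: "2021-10-01T11:00:00Z"
  sally_no_window:       # grant never issued: attributes absent
    id: sally_no_window
    roles: [USER]
resources:
  doc:
    id: doc-1
    kind: someResource
tests:
  - name: Only an open window grants access
    input:
      principals: [sally_active, sally_pending, sally_expired, sally_no_window]
      resources: [doc]
      actions: [someAction]
    expected:
      - principal: sally_active
        resource: doc
        actions:
          someAction: EFFECT_ALLOW
      - principal: sally_pending
        resource: doc
        actions:
          someAction: EFFECT_DENY
      - principal: sally_expired
        resource: doc
        actions:
          someAction: EFFECT_DENY
      # With the attributes missing the condition cannot be evaluated; Cerbos
      # treats that as "rule did not match", so the default deny applies.
      - principal: sally_no_window
        resource: doc
        actions:
          someAction: EFFECT_DENY
```

Run it with `cerbos compile policies/`. The security-relevant point of this design is that the policy never needs to change per grant, so the thing that must be protected is the path that sets accessStart and accessEnd on the principal: those attributes should be written only by the service that approves the temporary-access request, not supplied by the caller, and the window should be short enough that revocation before accessEnd is rarely needed.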